#24526 [Fbk->Opn]: Horde+Imp cause a segmentation fault

[kaMe at barcolabeach dot org]

 ID:               24526
 User updated by:  kaMe at barcolabeach dot org
 Reported By:      kaMe at barcolabeach dot org
-Status:           Feedback
+Status:           Open
 Bug Type:         PCRE related
 Operating System: Linux 2.4
 PHP Version:      4.3.3RC2-dev
 New Comment:

Here i am. Now with 
Apache/1.3.27 (Unix) PHP/4.3.3RC2-dev and the original bug
(imap-related).

#0  0x401e0e96 in _php_imap_address_size (addresslist=0x82b08e8)
    at
/root/temp-apache/php4-STABLE-200307141330/ext/imap/php_imap.c:3643
#1  0x401db8c4 in zif_imap_fetch_overview (ht=3,
return_value=0x8374ebc, this_ptr=0x0, return_value_used=1)
    at
/root/temp-apache/php4-STABLE-200307141330/ext/imap/php_imap.c:2722
#2  0x4030c622 in execute (op_array=0x81586bc) at
/root/temp-apache/php4-STABLE-200307141330/Zend/zend_execute.c:1616
#3  0x402f9494 in zend_execute_scripts (type=8, retval=0x0,
file_count=3)
    at /root/temp-apache/php4-STABLE-200307141330/Zend/zend.c:886
#4  0x402bdfec in php_execute_script (primary_file=0xbffff284) at
/root/temp-apache/php4-STABLE-200307141330/main/main.c:1685
#5  0x40311cfe in apache_php_module_main (r=0x811a714,
display_source_mode=0)
    at
/root/temp-apache/php4-STABLE-200307141330/sapi/apache/sapi_apache.c:54
#6  0x40312dc0 in send_php (r=0x811a714, display_source_mode=0, 
    filename=0x811b45c
"/usr/local/apache1.3.27/htdocs/horde/imp/mailbox.php")
    at
/root/temp-apache/php4-STABLE-200307141330/sapi/apache/mod_php4.c:620
#7  0x40312e3f in send_parsed_php (r=0x811a714) at
/root/temp-apache/php4-STABLE-200307141330/sapi/apache/mod_php4.c:635
#8  0x806c0d9 in ap_invoke_handler () at eval.c:88
#9  0x8081c7f in process_request_internal () at eval.c:88
#10 0x8081ce6 in ap_process_request () at eval.c:88
#11 0x8078576 in child_main () at eval.c:88
#12 0x8078731 in make_child () at eval.c:88
#13 0x80788ac in startup_children () at eval.c:88
#14 0x8078f3d in standalone_main () at eval.c:88
#15 0x80797ac in main () at eval.c:88
#16 0x4008d2eb in __libc_start_main (main=0x8079408 <main>, argc=2,
ubp_av=0xbffff6c4, init=0x804eec8 <_init>, 
    fini=0x80af73c <_fini>, rtld_fini=0x4000c130 <_dl_fini>,
stack_end=0xbffff6bc) at ../sysdeps/generic/libc-start.c:129


Previous Comments:
------------------------------------------------------------------------

[2003-07-10 08:50:36] [EMAIL PROTECTED]

PLEASE try this under Apache 1.3.27 before we continue hunting ghosts
here. 

------------------------------------------------------------------------

[2003-07-10 02:23:15] kaMe at barcolabeach dot org

It seems like it segfaults reading the file, not executing it. Thinking
was the regexp to cause the segfault, i tryed to delete it; the result
was that the segfault comes on the next regexp. I tryed to delete
both.. No more regexp in the function: apache segfaults reading a
comment!

So i tryed to delete some characters from the top of the file, now
apache segfaults some characters down than before, reading a comment. 

(I have the full strace session, if you want) 

open("/usr/local/apache2/htdocs/horde/lib/Browser.php", O_RDONLY) = 9
fstat64(0x9, 0xbfffa27c)                = 0
fstat64(0x9, 0xbfffa1dc)                = 0
lseek(9, 0, SEEK_CUR)                   = 0
lseek(9, 0, SEEK_SET)                   = 0
read(9, "<?php\n/**\n * @author  Chuck Hage"..., 8192) = 8192
brk(0x81b8000)                          = 0x81b8000
read(9, "ublic\n     *\n     * @param strin"..., 8192) = 5945
read(9, "", 8192)                       = 0
close(9)                                = 0
--- SIGSEGV (Segmentation fault) ---

------------------------------------------------------------------------

[2003-07-09 18:00:11] [EMAIL PROTECTED]

This might actually be same as bug #24563 is about.
Please try it under Apache 1.3.27.


------------------------------------------------------------------------

[2003-07-09 17:59:09] [EMAIL PROTECTED]

Add some debugging echo's or something there to see what that
$this->agent contains when it segfaults.


------------------------------------------------------------------------

[2003-07-08 11:07:11] kaMe at barcolabeach dot org

I tryed stracing a httpd -X process, the last few lines was:


open("/usr/local/apache2/htdocs/horde/lib/Browser.php", 
[.. cut]
read(10, "<?php\n/**\n * The Browser:: class"..., 8192) = 8192
brk(0x827e000)                          = 0x827e000
brk(0x827f000)                          = 0x827f000
brk(0x8283000)                          = 0x8283000
brk(0x8293000)                          = 0x8293000
read(10, "(\'|HotJava/([0-9]+)|\', $this->ag"..., 8192) = 7787
read(10, "", 8192)                      = 0
close(10)                               = 0
--- SIGSEGV (Segmentation fault) ---

In the /horde/lib/Browser.php, the line with that HotJava regexp is the
number 240:
} elseif (preg_match('|HotJava/([0-9]+)|', $this->agent, $version)) {

Hope this helps..
Tell me if I can help more..

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
    http://bugs.php.net/24526

-- 
Edit this bug report at http://bugs.php.net/?id=24526&edit=1